# A Watermark-Based In-Situ Access Control Model for Image Big Data

## Abstract

## 1. Introduction

- We propose a watermark-based access control model, which allows the objects being accessed to be bundled together with their access control strategies.
- We propose a hierarchical key-role-area access control model for large-size images such as geographic maps and remote sensing images. We also propose a hierarchical key generation method that guarantees fine-grained access privileges.

## 2. Related Work

## 3. Problem Formulation

#### 3.1. System Model

#### 3.2. Attack Models

#### 3.2.1. Transferring Attack

**Proposition 1.**

**Proof.**

**Proposition 2.**

**Proof.**

#### 3.2.2. Distributed Denial of Service (DDoS) Attack

#### 3.2.3. Coarse Access

#### 3.2.4. Physical Copy Attack

**Proposition 3.**

**Proof.**

#### 3.3. Design Goals

**Remark 1.**

## 4. Proposed Scheme

#### 4.1. Basic Settings

- Accessor registration. Accessors register for data access with servers, which assign them one or more roles.
- Data publication. Servers, acting as data publishers or distributors, embed access control policies into data such as images via watermarks. The data is then published, with certain areas or layers encrypted under secret keys tied to the control policies.
- Client conformance. Accessors request images through particular client tools, such as image browsers. The client tool asks accessors to present their roles and secret keys, enforces the control policies parsed from the watermarks embedded in the images, and decrypts the corresponding areas or layers of the images with the matching secret keys.

#### 4.2. Hierarchical Key-Role-Area Access Control Model

- $V=\{KEY,ROLE,AREA\}$
- $E=\{{E}_{k2k},{E}_{r2k},{E}_{a2r}\}$;
- ${E}_{k2k}=\langle from,to\rangle ,from,to\in KEY$;
- ${E}_{r2k}=\langle from,to\rangle ,from\in ROLE,to\in KEY$;
- ${E}_{a2r}=\langle from,to\rangle ,from\in AREA,to\in ROLE$.

- Hierarchical Keys
- (a) $KEY ::= \langle l, c \rangle$, where $l \in \mathbb{N}$ is a key level and $c \in \mathbb{N}$ is a key column. Keys are classified into different levels; in other words, a key has two metrics: its key level, denoted $l$, and its key column, denoted $c$.
- (b) $K2L: k \in KEY \to l \in \mathbb{N}$, where $KEY$ is the set of keys and $l$ is a natural number representing the key level. It is a function and need not be one-to-one; that is, multiple keys may map to one level. It is onto. We denote a key $k \in KEY$ with level $l$ as $k[l,\cdot]$. If multiple keys map to the same level $l$, we distinguish them as $k[l,c]$, $c \in \mathbb{N}$.
- (c) $K2C: k \in KEY \to c \in \mathbb{N}$, where $KEY$ is the set of keys and $c$ is a natural number representing the key column. It is a function and need not be one-to-one; that is, multiple keys may map to one column index. It is onto. We denote a key $k \in KEY$ with column index $c$ as $k[\cdot,c]$. If multiple keys map to the same column $c$, we distinguish them as $k[l,c]$, $l, c \in \mathbb{N}$.
- (d) $k[l+1,c] \Leftarrow g(k[l,c])$, where $k[l,c] \in KEY$, for all $l \in \mathrm{Set}_l = \{\ell \mid \ell = K2L(k),\ k \in KEY\}$ and $c \in \mathrm{Set}_c = \{c' \mid c' = K2C(k),\ k \in KEY\}$. $g(\cdot)$ is a one-way function: it is computationally infeasible to obtain $x$ from $g(x)$, where $x \in KEY$.
- (e) $k[j,c]$ can be computed from any $k[i,c]$ with $i < j$ by $k[j,c] = g^{\,j-i}(k[i,c])$, where $i, j \in \mathrm{Set}_l$, $c \in \mathrm{Set}_c$, $g^{m+1}(\cdot) = g(g^{m}(\cdot))$ for $m \in \mathrm{Set}_l$, and $g^{1}(\cdot) = g(\cdot)$.

Simply speaking, a key with a larger key level can be derived from any key with a smaller key level in the same key column. If accessors possess a key of a smaller level, they can derive all keys with larger key levels in the same key column. Thus, the holder of a smaller-level key can decrypt data encrypted under any larger-level key in the same column, but not the reverse.

- Hierarchical Roles
- (a) $ROLE ::= \langle l, c, u \rangle$, where $l$ is a key level, $c$ is a key column, and $u$ is an identifier that distinguishes multiple roles sharing the same key. As multiple roles may map to the same key $k[l,c]$, the identifier $u$ is required to tell them apart.
- (b) $R2K: r \in ROLE \to k \in KEY$, where $ROLE$ is the set of roles and $KEY$ is the set of keys. It is a function and need not be one-to-one; that is, multiple roles may map to one key. We denote a role $r \in ROLE$ that maps to the key $k[l,c]$ as $r[l,c,u]$, $l, c, u \in \mathbb{N}$. $R2K(\cdot)$ is onto. Simply speaking, multiple roles may be related to one key. Regarding privileges on images, the main one is "read". A role with a smaller (higher) level can access all objects that can be accessed by roles with larger (lower) levels. Each role is mapped to a key.
- (c) $R2L: r \in ROLE \to l \in \mathbb{N}$, where $ROLE$ is the set of roles and $l$ is a natural number representing a key level. Note that $\forall r \in ROLE,\ R2L(r) \Leftarrow K2L(R2K(r))$. That is, roles are also hierarchically classified into levels.
- (d) $R2C: r \in ROLE \to c \in \mathbb{N}$, where $ROLE$ is the set of roles and $c$ is a natural number representing a column number. Note that $\forall r \in ROLE,\ R2C(r) \Leftarrow K2C(R2K(r))$. This function returns the key index (in terms of key column) for a role, which is used to guarantee the derivation relationship between keys.
- (e) $R2U: r \in ROLE \to u \in \mathbb{N}$, where $ROLE$ is the set of roles and $u$ is a natural number identifying the users associated with the same key. Note that $\forall r_1, r_2 \in ROLE$, if $R2K(r_1) = R2K(r_2)$, then $R2U(r_1) \ne R2U(r_2)$.

The model proposed above is illustrated in Figure 3.

- Differentiate Areas by Roles
- (a) $AREA ::= \langle l, c, u, i \rangle$, where $l$ is a key level, $c$ is a column number, $u$ is an identifier that distinguishes multiple roles for the same key, and $i$ is an identifier that distinguishes multiple areas for the same role. Note that $\bigcap_{l,c,u,i} a[l,c,u,i] = \varnothing$.
- (b) $A2R: a \in AREA \to r \in ROLE$ is a function. It need not be one-to-one; that is, multiple areas may be assigned to one role. Whereas $r$ is a tuple with three elements, $a$ is a tuple with four elements.
- (c) $A2K: a \in AREA \to k \in KEY$ is a function. It need not be one-to-one. Note that $\forall a \in AREA,\ A2K(a) \Leftarrow R2K(A2R(a))$.
- (d) $A2L: a \in AREA \to l \in \mathbb{N}$. Note that $\forall a \in AREA,\ A2L(a) \Leftarrow R2L(A2R(a))$.
- (e) $A2C: a \in AREA \to c \in \mathbb{N}$. Note that $\forall a \in AREA,\ A2C(a) \Leftarrow R2C(A2R(a))$.
- (f) $A2U: a \in AREA \to u \in \mathbb{N}$. Note that $\forall a \in AREA,\ A2U(a) \Leftarrow R2U(A2R(a))$.

**Remark 2.**

#### 4.3. Image Publication

- Servers select an image to publish. The corresponding areas (i.e., $a \in AREA$) of this image are split according to security concerns and assigned to different roles. Areas are layered into different security levels, such that roles that can access a higher security level (with a smaller key level) can also access lower security levels (with larger key levels). Servers formulate access control strategies as $ACL ::= \langle ROLE, AREA \rangle$, where $\forall a \in AREA,\ \exists r = A2R(a) \in ROLE$.
- Servers encode the access control strategies into watermarks and embed them into the published images. For example, QR codes can be used as watermarks, with the strategies encoded in the QR codes.
- Servers maintain a table for the image, $TBL ::= \langle a \in AREA, f(A2K(a)) \rangle$, and encrypt specific areas of the image with the corresponding keys. For example, servers encrypt $a$ with $f(A2K(a))$, where $f(\cdot)$ is a one-way function. $f(A2K(a))$ rather than $A2K(a)$ is stored for better confidentiality. $A2K(\cdot)$ is initialized by servers in $HKRAGraph$.
- For every $a \in AREA$ in this image, $a$ is encrypted by $f(A2K(a))$, and note that all $K2C(A2K(a))$ are identical.
- For all $a_1, a_2 \in AREA$ in an image, we have $A2C(a_1) = A2C(a_2)$. Simply speaking, the encryption keys of all areas in one image must lie in the same key column.
- For all $a_1, a_2 \in AREA$ in an image, if $A2L(a_1) = A2L(a_2)$, then $A2K(a_1) = A2K(a_2)$, because $A2C(a_1) = A2C(a_2)$.

#### 4.4. Client Conformance

- Accessors request images via a particular client tool (e.g., an image browser).
- The browser prompts for, and obtains, the secret key $k'$ and the role $r'$ corresponding to the accessor.
- The browser extracts the QR code and obtains the access control strategies (i.e., $ACL ::= \langle ROLE, AREA \rangle$). All $a \in ACL.AREA$ with $A2R(a) = r'$ are obtained for $r' \in ACL.ROLE$.
- The browser computes $f(k')$ and decrypts all areas assigned to $r'$ (i.e., those $a$). Note that the key is not stored in the browser; only $f(k')$ is computed temporarily by the browser and destroyed after browsing.
- For all $j > l$, compute $k[j,c] \Leftarrow g^{\,j-l}(k[l,c])$ with $k[l,c] = k'$, and decrypt the remaining areas at lower levels, i.e., those $a \in ACL.AREA$ with $A2R(a) \ne r'$, using $k[j,c]$.
- The browser displays all such $a$ to the accessor.
- When accessors close the browser, the browsed image returns to its original encrypted state.
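The key hierarchy of Section 4.2 together with the publication (Section 4.3) and browsing (Section 4.4) steps, as an added worked example that is not the paper's own code: $g$ and $f$ are instantiated here with domain-separated SHA-256 (an assumption), the area cipher is a hash-keystream placeholder standing in for a real symmetric cipher, and the graph (one key column, three levels, one role and one area per level) is constructed for illustration.

```python
import hashlib
import hmac

def g(key: bytes) -> bytes:
    """One-way function g: k[l+1,c] = g(k[l,c]). SHA-256 is an assumption here."""
    return hashlib.sha256(b"HKRA|next-level|" + key).digest()

def f(key: bytes) -> bytes:
    """One-way function f: the per-area encryption key f(A2K(a)) (assumption)."""
    return hashlib.sha256(b"HKRA|area-key|" + key).digest()

def derive(key_i: bytes, i: int, j: int) -> bytes:
    """k[j,c] = g^(j-i)(k[i,c]) for j >= i; the reverse direction is infeasible."""
    if j < i:
        raise ValueError("a smaller-level key cannot be derived from a larger-level one")
    k = key_i
    for _ in range(j - i):
        k = g(k)
    return k

def area_cipher(area_key: bytes, data: bytes) -> bytes:
    """Placeholder symmetric cipher: XOR with an HMAC keystream (use AES-GCM in practice)."""
    stream = b"".join(hmac.new(area_key, n.to_bytes(4, "big"), hashlib.sha256).digest()
                      for n in range(len(data) // 32 + 1))
    return bytes(x ^ y for x, y in zip(data, stream))

# Constructed HKRA graph: one key column (c = 0), three levels, one role per level,
# one area per role.  R2K(r) = k[l,c] and A2K(a) = R2K(A2R(a)) as in Section 4.2.
ROOT = b"constructed root key k[0,0]"          # k[0,0], held by the server only
ROLES = {"admin": (0, 0, 0), "planner": (1, 0, 0), "public": (2, 0, 0)}   # ROLE ::= <l,c,u>
AREAS = {                                      # AREA ::= <l,c,u,i> -> constructed plaintext
    (0, 0, 0, 0): b"restricted zone layer",
    (1, 0, 0, 0): b"city planning layer",
    (2, 0, 0, 0): b"base remote sensing image",
}

def role_key(role: str) -> bytes:
    """The secret key k' handed to an accessor holding this role: k[R2L(r), R2C(r)]."""
    l, _c, _u = ROLES[role]
    return derive(ROOT, 0, l)

def publish():
    """Server side (Section 4.3): ACL for the watermark, areas encrypted with f(A2K(a))."""
    acl = [(a, r) for a in AREAS for r, role in ROLES.items() if role == a[:3]]
    encrypted = {a: area_cipher(f(derive(ROOT, 0, a[0])), AREAS[a]) for a in AREAS}
    return acl, encrypted

def browse(role: str, k_prime: bytes, acl, encrypted) -> dict:
    """Client side (Section 4.4): decrypt own areas, derive larger-level keys for the rest."""
    l, c, _u = ROLES[role]
    shown = {}
    for a, _r in acl:
        if a[1] != c or a[0] < l:        # other column, or smaller level: not derivable
            continue
        k = derive(k_prime, l, a[0])     # k[j,c] = g^(j-l)(k'), j >= l
        shown[a] = area_cipher(f(k), encrypted[a])
    return shown
```

A planner-level key reveals the planning layer and the base image but not the restricted layer, and a wrong key yields only garbage, since neither the server's table nor the browser ever exposes a raw key.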

**Remark 3.**

#### 4.5. Case Study

## 5. Security and Performance Analysis

#### 5.1. Security Analysis

**Defending Against Transferring Attack.** Images are encrypted under designated keys tied to the corresponding roles or accessor identities, and accessors must present the correct keys before client tools will decrypt images for browsing. Encrypted images cannot be decrypted without the keys, even if they are forwarded to others. Moreover, images can only be decrypted and displayed inside client tools, and they return to their original encrypted state after browsing.

**Defending Against DDoS Attacks.** As the access control logic is embedded in watermarks together with the images, client tools can enforce access policies without consulting servers or relying on network connections. Thus, DDoS attacks against servers and network connections are ineffective.

**Defending Against Coarse Access.** Our model can differentiate access privileges for various areas within a single image, and, by the same construction, further access control over various layers within a single area is also possible iteratively.

**Defending Against Physical Copy Attack.** As visible watermarks such as QR codes, or invisible watermarks, are incorporated into the images, anyone who obtains a physical copy of an image by screen capture or by photographing the screen with an external camera can be traced back through the watermarks. The roles and identities can be revealed from the decrypted areas in the captured image and the control policies in the watermarks.

**Proposition 4.**

**Proof.**

#### 5.2. Performance Analysis

**Computation Cost.** The major computations in the scheme are as follows: encoding and decoding watermarks, encrypting and decrypting areas in images, and one-way function evaluation. However, encoding a watermark is done only once. Encryption is performed once per image, and decryption is performed once per instance of image browsing. Note that encryption and decryption cannot be avoided in image access control, as some content must be encrypted for confidentiality. One-way function evaluation is lightweight (e.g., a cryptographically secure hash function).

**Higher Access Throughput and Less Access Delay.** The access control policies are embedded into watermarks and distributed with the images, so clients need not consult servers to learn which areas they may access. This improves the scalability of data access. Besides, access delay is reduced because there is no communication latency between servers and clients for such consultation.

**Efficiency.** A balance between servers and clients is preferred to relying on servers alone. Servers only need to attach a watermark to an image and encrypt the designated areas upon data publication, which can be done in batch. Client tools only need to decode a watermark and decrypt the corresponding areas. Decryption is performed on the client side, which is far lighter than performing it on the server side. Encryption and decryption are mandatory because some areas are confidential.

**Convenience.** Deployment is convenient. Particular client tools can be deployed as middleware over ordinary image browsers. Besides, communication channels and networks are not required, which is more convenient for accessors.

## 6. Conclusions

## Author Contributions

## Funding

## Acknowledgments

## Conflicts of Interest

## References

1. Facebook Says Cambridge Analytica May Have Gained 37 m More Users' Data. Available online: https://www.theguardian.com/technology/2018/apr/04/facebook-cambridge-analytica-user-data-latest-more-than-thought (accessed on 20 June 2018).
2. Xiong, H.; Choo, K.K.R.; Vasilakos, A.V. Revocable Identity-Based Access Control for Big Data with Verifiable Outsourced Computing. IEEE Trans. Big Data **2017**, 99.
3. Xiao, M.; Wang, M.; Liu, X.; Sun, J. Efficient distributed access control for big data in clouds. In Proceedings of the 2015 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), Hong Kong, China, 26 April–1 May 2015; pp. 202–207.
4. Wang, Y.; Doherty, J.F.; Van Dyck, R.E. A wavelet-based watermarking algorithm for ownership verification of digital images. IEEE Trans. Image Process. **2002**, 11, 77–88.
5. Moulin, P. The role of information theory in watermarking and its application to image watermarking. Signal Process. **2001**, 81, 1121–1139.
6. Gunjan, R.; Laxmi, V.; Gaur, M.S. Detection attack analysis using partial watermark in DCT domain. In Proceedings of the Fifth International Conference on Security of Information and Networks, New York, NY, USA, 25–27 October 2012; pp. 188–192.
7. Wolfgang, R.B.; Delp, E.J. A watermark for digital images. In Proceedings of the 3rd IEEE International Conference on Image Processing, Lausanne, Switzerland, 19 September 1996.
8. Wong, P.W. A public key watermark for image verification and authentication. In Proceedings of the 1998 International Conference on Image Processing (ICIP98) (Cat. No.98CB36269), Chicago, IL, USA, 4–7 October 1998; pp. 455–459.
9. Kountchev, R.; Milanova, M.; Kountcheva, R. Content protection and hierarchical access control in image databases. In Proceedings of the 2015 International Symposium on Innovations in Intelligent SysTems and Applications (INISTA), Madrid, Spain, 2–4 September 2015; pp. 1–6.
10. Yang, H.; Yin, J. A secure removable visible watermarking for BTC compressed images. Multimed. Tools Appl. **2015**, 76, 1725–1739.
11. Phadikar, A.; Maity, S.P.; Delpha, C. Data hiding for quality access control and error concealment in digital images. In Proceedings of the 2011 IEEE International Conference on Multimedia and Expo, Barcelona, Spain, 11–15 July 2011; pp. 1–6.
12. Phadikar, A.; Maity, S.P. A Cost Effective Scheme for Content Verification and Access Control of Quality of an Image. In Proceedings of the 2008 IEEE Region 10 and the Third international Conference on Industrial and Information Systems, Kharagpur, India, 8–10 December 2008; pp. 1–6.
13. Datta, K.; Gupta, I.S. Partial encryption and watermarking scheme for audio files with controlled degradation of quality. Multimed. Tools Appl. **2013**, 64, 649–669.
14. Asikuzzaman, M.; Pickering, M.R. An Overview of Digital Video Watermarking. IEEE Trans. Circuits Syst. Video Technol. **2017**, 99.
15. Van Gasselt, S.; Nass, A. Planetary Map Data Model for Geologic Mapping. Cartogr. Geogr. Inf. Sci. **2011**, 38, 201–212.
16. Han-fa, X.; Bing-liang, C.; Li-lin, X. An Mixed Access control method Based on Trust and Role. In Proceedings of the 2010 Second IITA International Conference on Geoscience and Remote Sensing, Qingdao, China, 28–31 August 2010; pp. 552–555.
17. Kim, J.; Jeong, D.; Baik, D.K. A Multi-layer based Access Control Model for GIS Mobile Web Services. In Proceedings of the 2009 Digest of Technical Papers International Conference on Consumer Electronics, Las Vegas, NV, USA, 10–14 January 2009; pp. 1–2.
18. Kirkpatrick, M.S.; Damiani, M.L.; Bertino, E. Prox-RBAC: A proximity-based spatially aware RBAC. In Proceedings of the 19th ACM SIGSPATIAL International Conference on Advances in Geographic Information Systems, New York, NY, USA, 1–4 November 2011; pp. 339–348.
19. Ma, F.; Gao, Y.; Yan, M.; Xu, F.; Liu, D. The fine-grained security access control of spatial data. In Proceedings of the 2010 18th International Conference on Geoinformatics, Beijing, China, 18–20 June 2010; pp. 1–4.
20. Zhang, A.; Ji, C.; Bao, Y.; Li, X. Conflict Analysis and Detection Based on Model Checking for Spatial Access Control Policy. Tsinghua Sci. Technol. **2017**, 22, 478–488.
21. Kao, Y.W.; Luo, G.H.; Lin, H.T.; Huang, Y.K.; Yuan, S.M. Physical Access Control Based on QR Code. In Proceedings of the 2011 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery, Beijing, China, 10–12 October 2011; pp. 285–288.
22. Melgar, M.E.V.; Zaghetto, A.; Macchiavello, B.; Nascimento, A.C. CQR codes: Colored quick-response codes. In Proceedings of the 2012 IEEE Second International Conference on Consumer Electronics-Berlin (ICCE-Berlin), Berlin, Germany, 3–5 September 2012; pp. 321–325.
23. Available online: https://zhfw.tianditu.gov.cn/ (accessed on 20 June 2018).

**Figure 5.** A combined map of Shanghai with multiple layers. The first layer is a remote sensing image, the second is a geologic map, and the third is a city planning map.

| Performance | Our Scheme | R. Wolfgang [7] | R. Kountchev [9] | RVM [10] | A. Phadikar [11] |
|---|---|---|---|---|---|
| 1. Hierarchical access control | ✓ | ✗ | ✓ | ✗ | ✗ |
| 2. Code access control strategies in watermarks | ✓ | ✗ | ✗ | ✗ | ✗ |
| 3. Access control can take effect without servers | ✓ | ✗ | ✗ | ✗ | ✗ |
| 4. Watermarks are used for access control | ✓ | ✗ | ✓ | ✓ | ✓ |
| 5. Record modifiers in watermarks | ✓ | ✗ | ✗ | ✗ | ✗ |
| 6. Copyrights protection | ✓ | ✓ | ✓ | ✓ | ✓ |
| 7. Quality access control | ✓ | ✗ | ✗ | ✓ | ✓ |
| 8. Fine-grained | ✓ | ✗ | ✗ | ✗ | ✗ |

© 2018 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

## Share and Cite

**MDPI and ACS Style**

Guo, J.; Ren, W.; Ren, Y.; Zhu, T.
A Watermark-Based In-Situ Access Control Model for Image Big Data. *Future Internet* **2018**, *10*, 69.
https://doi.org/10.3390/fi10080069

**Chicago/Turabian Style**

Guo, Jinyi, Wei Ren, Yi Ren, and Tianqing Zhu.
2018. "A Watermark-Based In-Situ Access Control Model for Image Big Data" *Future Internet* 10, no. 8: 69.
https://doi.org/10.3390/fi10080069